Memorandum from the Office of the Inspector General

May 30, 2008

E. Wayne Robertson, SP 5A-C

FINAL REPORT - SPECIAL PROJECT
REVIEW OF TVA'S PROCESS FOR HANDLING LOST OR STOLEN COMPUTERS
OIG FILE NO. 20Z-315

Attached is the subject final report for your review and final action. Your written comments, which addressed your management decision and actions planned or taken, have been included in the report. Please notify us when final action is complete.

If you have any questions, please contact me at (865) 632-3119 or Curtis D. Phillips, Supervisory Special Agent, at (865) 632-2584. We appreciate the courtesy and cooperation received from your staff during this review.

John E. Brennan
Assistant Inspector General
  (Investigations)
ET 4C-K

CDP:JEB:MSW
Attachment
cc (Attachment):
      William R. Brandenburg, Jr., MP 3B-C
      Tom D. Kilgore, WT 7D-K
      Ralph Edward King, WT 5A-K
      Melissa A. Livesey, WT 5B-K
      John E. Long, Jr., WT 7B-K
      Janice W. McAllister, EB 5B-C
      Gabrielle Anita Ratliff, WT 5B-K
      Emily J. Reynolds, OCP 1L-NST
      OIG File No. 20Z-315

Review of TVA's Process for Handling Lost or Stolen Computers

SPECIAL PROJECT - 20Z-315
May 30, 2008

Synopsis
    *   We initiated a special project to determine if (1) TVA's policies, procedures, and practices for handling lost or stolen computer equipment were adequate; (2) those policies, procedures, and practices were followed; and (3) the lost or stolen computers contained sensitive or restricted information. We found:
         -  TVA's policies, practices, and procedures for maintaining an accurate inventory of computer equipment were not adequate. Since the August 2004 implementation of the HP Service Desk (HPSD), which contains an inventory of TVA computers, TVA has been unable to track over 5,550 computers. The inability to adequately track these computers, together with the lack of encryption on them, increases the risk of disclosure of sensitive or restricted information.
         -  The policies for handling/reporting stolen computers were not consistently followed.
         -  At least one of the stolen computers contained personally identifiable information (PII): employee social security numbers. We have not been able to confirm whether the remaining stolen computers contained sensitive or restricted information, although we believe the risk is moderate.

    * "Sensitive" and "restricted" information are defined in Business Practice 29. Sensitive information includes Safeguards information, and restricted information includes PII.

Synopsis (continued)
    *   In a response to a draft of this report, management agreed with our recommendations but disagreed with the characterization that TVA was unable to track over 5,000 computers. That response is attached.
    *   We disagree with management's position that they were able to track the computers in "lost" or "write-off" status. If management was able to track the missing computers, they should have recorded the correct status in HPSD, their inventory management system.

Objective, Scope, and Methodology
    Objective
    *   The objective was to determine if:
         -  TVA's policies, procedures, and practices for handling lost or stolen computer equipment were adequate
         -  The policies, procedures, and practices were being followed
         -  The lost or stolen computers contained sensitive or restricted information
    Scope and Methodology
    *   Selected the period of May 1, 2006, to November 30, 2007, for the review of computers reported stolen to TVAP; information from HPSD for January and March 2008 showing the number of computers designated as "lost"; and a change request for May 2006 showing the number of computers reclassified from "lost" to "write-off."
    *   Reviewed TVA's policy, procedures, and practices for handling computer security incidents, which include the handling of computers reported stolen
    *   Reviewed the policy and procedures for maintaining records of the personal computer life cycle in HPSD
    *   Consulted TVAP and HPSD to identify the universe of the lost or stolen computers
    *   Interviewed TVA employees who reported a computer theft to TVAP
    *   Interviewed Information Services (IS) senior managers responsible for HPSD

Background
   How HPSD Tracks Inventory
   *   TVA utilizes HP Service Desk (HPSD) in conjunction with the System Management Server (SMS) to track the inventory and life cycle of computers.
       The system tracks configuration changes, service calls, software upgrades, and other information through the life cycle of a computer. Specifically:
        -  SMS scans the network at regularly scheduled intervals to identify PCs connected to the network.
        -  SMS passes the information it collects to HPSD.
        -  If SMS does not find a device that was formerly on the network, it records the device as lost in SMS and maintains the record for 30 days.
        -  When SMS deletes the record for the lost computer, HPSD changes the "Marked Lost Date" in its database to the current date, but continues to retain the current status of the computer.
        -  After 60 days, HPSD changes the status of the computer to "lost."
        -  If the computer is reattached to the network and rediscovered by SMS, it is reentered in HPSD with a status of "production."
        -  A Change/Work Order is requested to change the status of a computer from production to "removed" when the computer is sent to Procurement to be retired (and subsequently surplused).
        -  The status is changed to retired only when Procurement liquidates the computer.
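The SMS/HPSD status lifecycle above, modeled as an added example (not code from the report or from TVA's systems): the 30-day SMS retention, the 60-day HPSD threshold and the production/lost/removed/retired statuses come from the slide, while the inventory records, asset and organization names and the "never_on_network" label are constructed assumptions. The follow-up report at the end corresponds to the recommendation that IS act when a computer's status moves to lost.

```python
"""Model of the SMS/HPSD lost-computer lifecycle described in the Background.
Added example: timings and status names come from the report; the inventory
is constructed and "never_on_network" is a hypothetical label."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SMS_RETENTION_DAYS = 30  # SMS keeps a not-found device's record for 30 days
HPSD_LOST_DAYS = 60      # HPSD sets status "lost" 60 days after Marked Lost Date

@dataclass
class Asset:
    asset_id: str
    owner_org: str
    last_seen: Optional[date] = None       # most recent SMS discovery on the network
    disposal_status: Optional[str] = None  # "removed"/"retired", set by Change/Work Order

def record_scan(asset: Asset, scan_date: date) -> None:
    """SMS rediscovered the device, so HPSD re-enters it as production."""
    if asset.disposal_status is None:
        asset.last_seen = scan_date

def change_order(asset: Asset, new_status: str) -> None:
    """Apply a Change/Work Order: production -> removed (sent to Procurement),
    removed -> retired (liquidated). Other transitions are rejected (assumption)."""
    current = asset.disposal_status
    if (current, new_status) not in {(None, "removed"), ("removed", "retired")}:
        raise ValueError(f"{asset.asset_id}: illegal transition {current} -> {new_status}")
    asset.disposal_status = new_status

def hpsd_view(asset: Asset, today: date) -> dict:
    """Status HPSD would display for the asset on `today`, plus Marked Lost Date."""
    if asset.disposal_status:
        return {"status": asset.disposal_status, "marked_lost_date": None}
    if asset.last_seen is None:
        return {"status": "never_on_network", "marked_lost_date": None}
    # SMS deletes the record 30 days after the last sighting; HPSD then records
    # Marked Lost Date but keeps status "production" for a further 60 days.
    marked_lost = asset.last_seen + timedelta(days=SMS_RETENTION_DAYS)
    if today < marked_lost:
        return {"status": "production", "marked_lost_date": None}
    status = "lost" if (today - marked_lost).days >= HPSD_LOST_DAYS else "production"
    return {"status": status, "marked_lost_date": marked_lost}

def lost_followup(assets, today: date) -> list:
    """Follow-up list for the recommendation that IS act when a status moves to
    lost: (asset, organization, days unaccounted for), longest-missing first."""
    rows = [(a.asset_id, a.owner_org, (today - a.last_seen).days)
            for a in assets if hpsd_view(a, today)["status"] == "lost"]
    return sorted(rows, key=lambda r: -r[2])

# Constructed sample inventory, not data from the report.
INVENTORY = [
    Asset("PC-0001", "Nuclear", last_seen=date(2007, 10, 1)),
    Asset("PC-0002", "Fossil", last_seen=date(2008, 1, 1)),
    Asset("PC-0003", "Customer Service", last_seen=date(2007, 12, 1)),
    Asset("PC-0004", "Nuclear"),  # never discovered by SMS (see Reasons for Lost Status)
]
change_order(INVENTORY[2], "removed")  # sent to Procurement for retirement
AS_OF = date(2008, 3, 31)

if __name__ == "__main__":
    print(lost_followup(INVENTORY, AS_OF))
```

PC-0002 illustrates the boundary: last seen 1 January, Marked Lost Date 31 January, and exactly 60 days later (31 March) the status flips to "lost" even though the device has been off the network for 90 days.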
Background (continued)
    TVA Policy—Stolen Computers
    *   TVA's Computer Security Incident Handling Procedure and related training material define a computer security incident to include the theft of computer equipment
    *   The policy also establishes the following roles and responsibilities for handling computer thefts
         -  End-user reports the theft to the IT Service Center (ITSC), IT Security, TVA Police (TVAP), or OIG
         -  ITSC, TVAP, or OIG reports the incident to IT Security
         -  IT Security staff:
              *   May serve as the Incident Commander
              *   Performs an initial assessment
              *   Develops an incident response plan, if necessary
              *   Maintains an incident database
              *   Reports the incident, as appropriate

Finding 1—Inadequate Process for Tracking Computers
    *   TVA's policies, procedures, and practices for maintaining an accurate inventory record of personal computers in HPSD were not adequate. Since the August 2004 implementation of HPSD, TVA has been unable to track over 5,550 computers.
         -  IS personnel agreed their inventory process was not working correctly and stated a significant number of the computers classified as "lost" were misclassified
         -  IS implemented HPSD in August 2004 to maintain an inventory and track the lifecycle of PCs on the network.
            Since that time:
               *   IS moved 5,031 PCs from a "lost" status to a "write-off" status in May 2006.
                     -  Management defined "lost" status as PCs no longer connected to the network.
                     -  Management used the "write-off" status to record a one-time move of PCs from "lost" as management began dispositioning PCs for lifecycle management.
               *   At the end of March 2008, HPSD reflected 3,014 computers in "lost" status and 2,536 in "write-off" status, for a total of 5,550.

Finding 1—Inadequate Process for Tracking Computers (continued)
    *   In the attached response, management disagreed with the characterization that TVA was unable to track over 5,000 computers. Management advised the "lost" and "write-off" statuses were used only for lifecycle purposes and that they would introduce a "not connected" status to better reflect the status of computers. Management further stated they had properly dispositioned 1,428 computers.
    *   We disagree with management's position that they were able to track the computers in "lost" or "write-off" status. If management was able to track the missing computers, they should have recorded the correct status in HPSD, their inventory management system.

[Bar chart: Summary of Computers with Lost Status by Organization, Effective January 2008. Organization labels are not recoverable from the extracted text.]

[Bar chart: Summary of Computers with Lost Status by Employee Status, Effective January 2008. Category labels are not recoverable from the extracted text.]

Finding 1—Inadequate Process for Tracking Computers (continued)
   Reasons for Lost Status
   *   According to senior IS managers, computers drop out of inventory or become misclassified for several reasons
        -  They were returned to stock for reissuance
        -  HPSD contains duplicate entries
        -  HPSD was not updated correctly when computers were retired and sent to surplus
        -  They were actually lost or stolen
        -  They are held in Radiological Controlled Areas
        -  Some of the computers may never have been on the network, such as:
             *   Those held at the nuclear sites because they contain "Safeguards" information
             *   Those behind firewalls in a process control environment
             *   Those used as data acquisition devices

Finding 1—Inadequate Process for Tracking Computers (continued)
    Planned Improvements to Inventory Process
    *   During our field work, IS initiated a review of the HPSD inventory process and developed a plan to improve the process. The plan addressed:
         -  Improvements in the receiving process to ensure computers are recorded correctly in HPSD
         -  Improvements to the retirement process to ensure computers sent to surplus are accurately recorded in HPSD
         -  Improvements in the tracking and recovery process for computers disconnected from the network for more than 30 days
         -  Cleanup of HPSD for cases where receiving procedures were not followed
         -  Reconciliation of HPSD with the surplus computer inventory, and work with owners to locate the remaining computers

Finding 2—Noncompliance with Procedures for Handling Stolen Computers
    *   TVA policies, procedures, and practices for handling computers reported as stolen were not followed
        -  TVAP received reports that 26 computer-related items, such as laptops, desktops, PDAs, and computer screens, were stolen during the period May 1, 2006, to November 30, 2007
        -  TVAP confirmed they generally did not notify IT Security when they received a report of a stolen computer
        -  IT Security specialists did not recall TVAP notifying IT Security of any computer thefts
        -  IT Security did not include the theft of computers in their computer security incident database; they recalled receiving notification of the theft of only one computer during the review period (May 2006 to November 2007), and they conducted an assessment of the information on that computer

Finding 2—Noncompliance with Procedures for Handling Stolen Computers (continued)
    Planned Improvements for Handling Stolen Computers
    *   TVA is planning to roll out an encryption project which will help secure information on computers if they are lost or stolen
    *   IT Security has a draft policy on Computer Security and Privacy Incident Response which better defines the roles and responsibilities of those involved. However, the policy has been in draft for several years.
    *   After being contacted during this project, TVAP distributed an e-mail to all TVAP Commanders reminding them to notify IT Security of all reported computer thefts
    *   IT Security is planning an awareness article for all TVA employees to be published in Inside TVA

Finding 3—PII and Sensitive Information on Stolen/Lost Computers
    *   One of the laptops reported stolen contained employee social security numbers because the user had saved copies of employee service reviews completed prior to the implementation of employee identification numbers
    *   There is a moderate risk that other sensitive or restricted information was disclosed on the computers reported stolen because:
         -  The stolen computer users included a RAD Protection Manager, Nuclear Electrical Engineers Manager, Nuclear Electrical Maintenance Manager, and a Commercial Analyst
    *   The inability to track over 5,550 computers substantially increases TVA's risk for the disclosure of sensitive or restricted information. However, until a complete review of the computers classified as "lost" is conducted, we do not have sufficient information to know the extent of that risk.

Recommendations
   *   IS should:
        -  Implement the planned improvement for the inventory process in HPSD
        -  Implement the laptop encryption project
        -  Initiate a project to locate the computers listed as lost in HPSD and perform a risk assessment to determine if any of the truly lost computers contained sensitive or restricted information
        -  Develop a process to follow up when the status of computer equipment moves to lost
   *   Enterprise IT Security should:
        -  Follow up and conduct a risk analysis on the computers reported as stolen
        -  Finalize the draft policy on Computer Security and Privacy Incident Response
   *   TVA Management agreed with these recommendations and their planned actions are attached.

Appendix
Special Project
Review of TVA's Process For Handling Lost or Stolen Computers
OIG File No. 20Z-315

Recommended Action Step: Implement planned improvement for the inventory process in HPSD.
  Resp Dept: IO
  Lead: Sam Boozer
  Action Planned: Management agrees. Planned improvements will be documented and implemented.
  Estimated Complete: 05/30/2008

Recommended Action Step: Implement the laptop encryption project.
  Resp Dept: IO
  Lead: Bill Brandenburg
  Action Planned: Laptop encryption of My Documents folder was implemented on 3/26/2008. Any laptop that has been connected to the TVA network since 3/26 has had the My Documents folder encrypted.
  Estimated Complete: 03/28/2008 - complete

Recommended Action Step: Initiate a project to locate the computers listed as lost in HPSD and perform a risk assessment to determine if any of the truly lost computers contained sensitive or restricted information.
  Resp Dept: IO/EITS
  Lead: Sam Boozer/Gabrielle Ratliff
  Action Planned: Management agrees. A project has been initiated to perform and complete these tasks.
  Estimated Complete: 06/30/2008

Recommended Action Step: IS should develop a process to follow up when the status of computer equipment moves to lost.
  Resp Dept: IO
  Lead: Sam Boozer
  Action Planned: Management agrees. A process will be established.
  Estimated Complete: 05/30/2008

Recommended Action Step: Follow up and conduct a risk analysis on the computers reported as stolen.
  Resp Dept: EITS
  Lead: Gabrielle Ratliff
  Action Planned: Management agrees. EITS is working on streamlining the reporting of missing and/or stolen computer equipment so that the appropriate notifications are made in a consistent manner. EITS will issue an awareness article for all TVA employees.
  Estimated Complete: 05/30/2008

Recommended Action Step: Finalize the draft policy on Computer Security and Privacy Incident Response.
  Resp Dept: EITS
  Lead: Gabrielle Ratliff
  Action Planned: TVA SPP 12.9 - Computer Security and Privacy Incident Response has been finalized and was sent to Human Resource Services on 4/15/2008 to be published.
  Estimated Complete: 05/05/2008

05/02/2008